Technology Brief Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances The world s first native PCI Express* Gigabit Ethernet Quad Port Bypass Server Adapters with the Intel 82571GB GbE Controller provide in-line server appliances, such as intrusion prevention servers, with high-performance, low-latency, in-line connectivity and a bypass mode to help ensure business continuity. Enterprises are growing more complex with data and voice convergence, collaboration over wide area networks (WANs), and dynamic Web services. To meet this challenge, information technology (IT) managers must be able to monitor, analyze, and optimize local area network (LAN) traffic to ensure quality of service, application service levels, and security. This has resulted in a proliferation of application-specific server appliances for real-time traffic analysis and inspection, data acceleration, and traffic shaping. Application-specific server appliances are commonly built with standard server building blocks often Intel architecture blocks and perform an application-specific function. These appliances are not typically in-line devices. Because they are not endpoints and do not process network data packets, the network sees them as bump-in-the-wire networking devices. Many of these appliances hang off a span or an expensive tap, allowing the traffic to be duplicated and sent to the server appliance for analysis. Today, however, there is an increasing need for server appliances that can act in real time on network traffic to prevent problems, especially network intrusions, rather than just detect them. To do this, server appliances are being moved in line with the network traffic flow. Examples of server appliances that are now moving in line are the intrusion prevention server and the internal security gateway.
Technology Brief Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances Intrusion Prevention Servers and Business Continuity Cyber attacks on enterprise networks continue to increase in variety, frequency, and intensity. Worms, viruses, Trojan horses, denial of service (DoS), identity theft, and other attacks cost businesses worldwide an estimated USD 100 billion annually. As a result, enterprises are becoming increasingly proactive in combating cyber attacks. In turn, this has led to an increased demand for the protective advantages of network integrated security appliances (ISAs), particularly those that deal with attacks before they even enter the network. Increasingly, enterprises are turning to ISAs that are specialized security servers located at the network gateway to stop attacks at the network edge. One class of such servers is the intrusion detection server (IDS). An IDS sits at the edge of the network or at critical subsegments and monitors all network traffic for anomalous data conditions indicating a possible attack. A more proactive approach, however, is the intrusion prevention server (IPS), which not only detects but also blocks or prevents intrusions. Even more recently, security began moving to the network core with internal security gateways to prevent attacks from inside the network. Rather than residing to the side of the network on a span or tap like an IDS, an IPS resides in line with the network s critical path (see Figure 1). This allows the IPS to monitor all network traffic flow and to detect and block traffic anomalies in real time using Layer 2 through Layer 7 signature-based and protocol-based analysis. From a network performance viewpoint, the key concerns with the IPS approach are its in-line and real-time requirements. To be real-time or near real-time, the IPS network connection must have high bandwidth and minimum latency. Moreover, because it is in line with the critical path, the IPS must be able to fail safely; otherwise, an IPS failure or instability could bring down the entire network. To address these concerns, Intel has designed a family of Gigabit Ethernet (GbE) quad port bypass server adapters specifically for intrusion prevention servers and other in-line appliances. These server adapters the Intel PRO/1000 PT Quad Port Bypass Server Adapter for Intel PRO/1000 PT Dual Port Server Adapter Intel PRO/1000 PT Dual Port Server Adapter Intel PRO/1000 PT Quad Port Bypass Server Adapter (for fiber) or Intel PRO/1000 PF Quad Port Bypass Server Adapter (for copper) Department Workgroup Servers Intrusion Prevention Server Workgroup Switch Workgroup Switch The WAN Outside Internet Connection Router Department Workgroup Servers Intel PRO/1000 PT Dual Port Server Adapter Intel PRO/1000 PT Dual Port Server Adapter Figure 1. Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters provide high-performance, fail-safe Gigabit Ethernet connectivity for intrusion prevention servers. 3
Technology Brief Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances copper connectivity and the Intel PRO/1000 PF Quad Port Bypass Server Adapter for fiber connectivity include the following performance-enhancing features for IPS applications: Bypass mode to help ensure network business continuity PCI Express* (PCIe*) GbE connectivity for higher bandwidth Quad port GbE for high I/O, slot-constrained appliances Intel I/O Acceleration Technology (Intel I/OAT) for moving network data more efficiently through Dual- Core Intel Xeon processor-based servers for fast, scalable, and reliable networking Optional network interface card (NIC)-in-front (NIF) feature for easy front-panel access to LAN I/O ports Bypass Mode Helps Ensure Business Continuity Business continuity is a major concern with the IPS approach. Because the IPS server is in line with the data flow, as shown in Figure 1, problems with the server or its operating system (OS) can disconnect the enterprise network from the WAN or Internet. Such a disconnect from the outside world interrupts business continuity in that incoming sales orders, outgoing purchase orders, deposits, withdrawals, and other external transactions can no longer be performed. Implementing dual or redundant traffic paths in the most critical network areas is a possible solution, but it becomes a financially impractical option as threats spread through the network and to branch offices. To help maintain business continuity in the event of an IPS failure, Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters provide a programmable bypass mode. The bypass mode automatically activates upon programmed detection of an IPS power-down, BIOS boot, or an OS or application program failure. When a detected failure occurs, mechanical relays switch the network traffic so it flows out the second port of the pair on the adapter, bypassing the problem server appliance and maintaining business continuity. Printed Circuit Board LC Duplex Adapter Transmit Receive Small Form Factor Transceiver Normal Mode LC Duplex Adapter Dual 2 x 2 Switch Transmit Receive Small Form Factor Transceiver System Chassis Switch Control Circuit Printed Circuit Board LC Duplex Adapter Transmit Receive Small Form Factor Transceiver Bypass Mode LC Duplex Adapter Dual 2 x 2 Switch Transmit Receive Small Form Factor Transceiver System Chassis Switch Control Circuit Figure 2. Intel PRO/1000 PF Quad Port Bypass Server Adapter with its pair of ports in normal mode (top) and in bypass mode (bottom). 4
Figure 2 further illustrates this bypass operation. The top illustration shows a pair of ports on the Intel PRO/1000 PF Quad Port Bypass Server Adapter operating in the normal in-line mode, and the illustration on the bottom shows the adapter switches in bypass mode. The bypass circuit operates even in the absence of power so that the network connection is always maintained, even with the server powered down. Additionally, IT managers can program bypass mode to enable it for testing or to disable it to turn the adapter into a standard GbE server adapter. PCI Express, Quad Port GbE Connectivity for Higher Bandwidth Use of a quad port GbE adapter for any server and especially IPSs is particularly advantageous. Quad port PCI Express (PCIe) server adapters provide four network connections from a single server slot, thus conserving server slots for other applications while taking full advantage of the bandwidth provided by the new PCIe x4 slots. Just as important, the multiple GbE ports allow traffic capacity to be increased through various techniques, including teamed links or ports and network segmentation. In the case of an IPS, at least two ports are required to support IPS in-line operation. One port provides the outside connection to the network or segment edge. Traffic from this outside port passes into the IPS and the IPS analyzes the traffic for anomalous conditions. The sanitized traffic then passes from the IPS through the second, inside port to the network under IPS prevention. In the case of the Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters, four ports are provided. There are two outside ports and two corresponding inside ports. This allows essentially a doubling of GbE traffic capacity by allowing the IPS to protect two links or network segments at once. This is illustrated in Figure 1, where one IPS receives incoming traffic off two links from the router and passes the protected traffic to two different workgroup switches. To help ensure availability of the full bandwidth potential of GbE connectivity, the Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters use the PCIe architecture for server I/O, rather than the PCI or PCI-X bus. As opposed to the PCI or PCI-X shared, multi-drop, parallel-bus structure, the PCIe interface is a dedicated point-to-point serial bus with a unidirectional raw bandwidth of 2.5 Gigabits per
Technology Brief Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances second (Gbps) for a x1 ( by one ) bus lane. The Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters are scaled up to x4 PCIe lanes, providing four times the bus bandwidth of a single (x1) PCIe lane. Also, PCIe lanes are bi-directional: a transmit path and a receive path allow simultaneous transmission and reception. In contrast, PCI and PCI-X are limited to either transmitting or receiving at any given time, which injects latency when a transmit process is forced to wait for a receive process to complete before transmitting. Such latency does not occur with PCIe because it is bi-directional, and the adapter does not have to contend with other devices for the bus. Another feature critical to in-line appliances is the ability to handle the full traffic flow of the network without adding latency, especially for the small data packets typical of network front ends. To verify capability for this, Intel tested the new Intel 82571GB Gigabit Ethernet Controller used in the Intel PRO Quad Port Bypass Server Adapters with a special hardware performance driver in a stackless loop-back mode. At 64-byte packets and larger, Intel measured on both ports simultaneously a full bi-directional wire-speed line rate (measured as packets per second) and bit-stream and payload throughputs up to the theoretical maximum. This gives the Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters the potential for providing the best possible small-packet hardware performance for optimizing in-line appliance applications. Intel I/O Acceleration Technology Moves Network Data More Efficiently The Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters also incorporate the new Intel I/OAT. Intel I/OAT is an evolving platform-wide technology that moves network data more efficiently through Dual-Core Intel Xeon processor-based servers for fast, scalable, and reliable networking. It improves network application responsiveness by unleashing the power of Intel Xeon processors through more efficient network data movement and reduces system overhead, plus it scales seamlessly across multiple Ethernet ports. Intel I/OAT addresses all segments of the server I/O bottleneck problem and does it by using TCP/IP without requiring any modification of existing or future applications. The system-wide network I/O acceleration technologies applied by Intel I/OAT are summarized in Figure 3 and include network flow affinity, asynchronous low-cost copy, and improved TCP/IP protocol with an optimized TCP/IP stack. In the Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters, Intel I/OAT is supported through packet-oriented routines that provide header splitting and interrupt moderation. Header splitting separates the TCP/IP packet header and payload for faster processing of each on separate, parallel paths. Interrupt moderation collects interrupts at the adapter and only interrupts the CPU to handle a larger set of packets at a time. Optimized TCP/IP protocol stack with enhancements Server with Intel I/O Acceleration Technology Balanced network processing on multiple CPUs with network flow affinity Enhanced direct memory access with asynchronous low-cost copy Network Data Stream Figure 3. Intel I/OAT moves network data more efficiently through Dual-Core Intel Xeon processor-based servers. 6
Technology Brief Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for In-line Server Appliances Both header splitting and interrupt modulation provide for greater packet handling efficiency through the adapter. The result is greater throughput, and this can be further amplified when Intel PRO/1000 PT and PF Quad Port Bypass Adapters are used with the Intel I/OAT capabilities of Dual-Core Intel Xeon processor-based servers. NIC-in-Front Access to LAN I/O Ports Because of the critical nature of IPS and other in-line appliances to the enterprise network, IT managers may perform frequent monitoring of the NIC I/O ports. To make this easier, bypass adapter versions are available with NIF access to the LAN I/O ports. NIF provides a front-panel connector and the corresponding light-emitting diode (LED) and cable assemblies to allow port access and LED displays at the front of the server, while the adapter remains in the rear of the chassis in a standard motherboard. These new adapters are the world s first native PCIe quad port bypass adapters, and they join a long line of Intel firsts in NIC technology, including the world s first 10 GbE adapter. Like all of the GbE adapters in Intel s broad product line, the Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters are supported by open-source drivers that reflect the extensive engagement Intel maintains with the open-source community. In fact, Open Source Linux* and FreeBSD* reference drivers are available on request for integration into your solution. For more information on Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters for in-line server appliances, contact your Intel Sales Representative or visit www.intel.com/go/bypassadapters Safe and Easy IPS Connectivity The Intel PRO/1000 PT and PF Quad Port Bypass Server Adapters provide safe and easy in-line appliance connectivity, because they are designed to meet in-line appliance needs with multiple GbE ports for in-line connectivity and a fail-safe bypass mode. Additionally, these adapters supersede PCI and PCI-X with the much faster third-generation PCIe serial bus for greater throughput, and they use Intel I/OAT for further performance enhancement, including the reduced overhead so important to IPS applications. 7
Copyright 2006 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel. Leap ahead. and Intel. Leap ahead. logo, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. *Other names and brands may be claimed as the property of others. Printed in USA 0606/BY/PMS/PP/1K Order Number: 313587-001US